import-scan or reimport-scan results in 400 Bad Request, Error: ["product_name parameter missing"] #7901

Closed
ryanbarrett opened this issue Mar 29, 2023 · 2 comments


ryanbarrett commented Mar 29, 2023

Attempting to import an Nmap scan via the API. Able to import via the swagger interface, unable with python and other items. Receiving: 400 Bad Request, Error: ["product_name parameter missing"]

Steps to reproduce
In the webui I created a product "TestProduct2" and added an engagement (id:2)
I'm able to query those items via the API.

I've tried passing in only the engagement (as mentioned in the swagger docs)
and I've tried to add the product_name parameter e.g. 'product_name':'TestProduct2', No change.

import os
import requests
import json

url = "http://<server>:8080/api/v2/import-scan/"
DD_API_TOKEN = os.getenv('DD_API_TOKEN')
headers = { 'content-type': 'multipart/form-data',
             'Authorization': f'Token {DD_API_TOKEN}', 
             'active': 'false', 'verified': 'false', 
             'engagement': '2',
             'scan_type': 'Nmap Scan',
             'file': './temp.xml;type=text/xml'
             } 
results  = requests.post(url=url,headers=headers)
print(f"{results} {json.loads(results.text)}")

Expected behavior
Expecting import of report as seen with the swagger interface.

Deployment method (select with an X)

  • [X ] Docker Compose

Environment information

  • DefectDojo version v. 2.20.2

Logs

uwsgi_1         | [29/Mar/2023 02:39:30] WARNING [django.request:241] Bad Request: /api/v2/import-scan/
nginx_1         | <clientip> - - [29/Mar/2023:02:39:30 +0000] "POST /api/v2/import-scan/ HTTP/1.1" 400 34 "-" "python-requests/2.27.1" "-"
uwsgi_1         | [pid: 1|app: -|req: -/-] <clientip> (-) {50 vars in 704 bytes} [Wed Mar 29 02:39:30 2023] POST /api/v2/import-scan/ => generated 34 bytes in 19 msecs (HTTP/1.1 400) 8 headers in 243 bytes (1 switches on core 0)

Sample scan files

Screenshots

Additional context (optional)


sec-oops commented Apr 24, 2023

Looking at your code there, you're passing the form-data as part of the headers, rather than as part of the body of the request, hence your fields aren't being passed correctly to the API to parse.

Here's my upload function I use for scans for reference on passing the fields + file as form-data.

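import os
from datetime import date
from pprint import pprint

import requests

# Assumption: the base URL and API key come from the environment;
# the original snippet did not show where these two names are defined.
DOJO_BASE_URL = os.getenv('DOJO_BASE_URL')
DOJO_API_KEY = os.getenv('DOJO_API_KEY')

def upload_scan(scan_results, scan_type, severity, product):
    today = date.today().strftime('%Y-%m-%d')
    # Form fields go in the request body (data=), not in the headers.
    data = {
        'scan_date': today,
        'scan_type': scan_type,
        'verified': False,
        'active': True,
        'minimum_severity': severity,
        'description': 'Created by automated script',
        'auto_create_context': True,
        'deduplication_on_engagement': True,
        'product_name': product,
        'engagement_name': 'LocalTesting'
    }
    # The report is sent as a multipart file part: (filename, content, MIME type).
    files = {
        'file': ('scan_results.json', scan_results, 'application/json'),
    }
    # Only the API token belongs in the headers; requests sets the multipart Content-Type itself.
    response = requests.post(f'{DOJO_BASE_URL}/api/v2/import-scan/', headers={'Authorization': f'Token {DOJO_API_KEY}'}, data=data, files=files)
    pprint(response.json())
    if response.status_code == 201:
        print(f'{scan_type} scan results uploaded successfully for {product}')
    else:
        print(f'Error uploading {scan_type} scan results for {product}: {response.text}')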
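
Added example, not part of either comment above and not DefectDojo project code: it prepares both requests offline with `requests.Request(...).prepare()` and lists which multipart fields actually end up in the body the API parses. The host name, token and Nmap XML are constructed placeholders, and `prepare_broken`, `prepare_fixed` and `body_fields` are hypothetical helper names.

```python
import requests

URL = "http://dojo.example:8080/api/v2/import-scan/"   # placeholder host (assumption)
TOKEN = "constructed-token"                            # constructed, not a real API key
NMAP_XML = b'<?xml version="1.0"?><nmaprun scanner="nmap"></nmaprun>'  # constructed sample
FIELDS = {"active": "false", "verified": "false",
          "engagement": "2", "scan_type": "Nmap Scan"}


def prepare_broken():
    """Form fields placed in the HTTP headers, as in the script from the issue."""
    headers = {"content-type": "multipart/form-data",
               "Authorization": f"Token {TOKEN}",
               **FIELDS,
               "file": "./temp.xml;type=text/xml"}
    return requests.Request("POST", URL, headers=headers).prepare()


def prepare_fixed():
    """Fields in data=, report in files=; requests builds the multipart body."""
    return requests.Request(
        "POST", URL,
        headers={"Authorization": f"Token {TOKEN}"},
        data=FIELDS,
        files={"file": ("temp.xml", NMAP_XML, "text/xml")},
    ).prepare()


def body_fields(prepared):
    """Return the names of the multipart parts present in the request body."""
    ctype = prepared.headers.get("Content-Type", "")
    if not prepared.body or "boundary=" not in ctype:
        return []          # no body or no boundary: the server sees no form fields
    boundary = ctype.split("boundary=", 1)[1].encode()
    names, marker = [], b'name="'
    for part in prepared.body.split(b"--" + boundary):
        if marker in part:
            start = part.index(marker) + len(marker)
            names.append(part[start:part.index(b'"', start)].decode())
    return names


if __name__ == "__main__":
    for label, req in (("broken", prepare_broken()), ("fixed", prepare_fixed())):
        print(label, "| Content-Type:", req.headers["Content-Type"])
        print(label, "| body fields :", body_fields(req))
```

In the broken request the `Content-Type` header has no boundary and the body is empty, so the server finds no form fields at all; in the fixed request every field and the file arrive as multipart parts.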

@manuel-sommer
Contributor

I guess this is rather something for the slack channel not a defectdojo related issue. You can close this @mtesauro
